145 Top Web Sites Track Users despite “Do Not Track” Restrictions

Nearly 1.5% of the Internet’s top websites track visitors without their knowledge or permission, even when they have explicitly enabled their browser’s “Do Not Track” option, according to new research into the practice known as device fingerprinting. Also called browser fingerprinting, it is a process that collects the screen size, list of available fonts, software versions, and other properties of a visitor’s device to create a nearly unique profile of that device, which can then be used to track the visitor across the web.

Device fingerprinting, which targets either Flash or JavaScript and leaves no residual cookie file, is a neutral technology: it can be used to detect fraud and protect against account hijacking, but also for marketing and tracking purposes. And according to documents published by The Guardian, the NSA used “browser fingerprinting” to track users of the Tor privacy service.

According to the study report, a team of researchers based in Europe found that 145 of the Internet’s top 10,000 websites use Flash-based fingerprinting, and that 404 of the top 1 million sites use JavaScript-based fingerprinting to track non-Flash devices.

But the researchers found that the websites used device fingerprinting to track visitors even when those visitors had explicitly requested not to be tracked by enabling the Do Not Track HTTP header, and that few sites informed visitors of the practice.

Not content with purely academic analysis, the researchers developed a tool called FPDetective that analyzes websites for suspicious scripts to help visitors evade device fingerprinting.
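To make the idea of flagging suspicious scripts concrete, here is an added example (not FPDetective's code and not taken from the study) of a static heuristic that looks for reads of the attribute classes named above and checks whether the script ever consults the visitor's Do Not Track preference. The regexes, the threshold, the function names and the three sample scripts are all assumptions constructed for illustration.

```javascript
// Added example: a static heuristic, not FPDetective's actual logic.
// Attribute classes come from the article; regexes and threshold are assumptions.
const SIGNALS = {
  screen: /\bscreen\.(width|height|availWidth|availHeight|colorDepth)\b/,
  // Font probing: a font-family is set and an element's rendered size is read.
  fonts: /^(?=[\s\S]*\bfontFamily\b)(?=[\s\S]*\boffset(Width|Height)\b)/,
  software: /\bnavigator\.(userAgent|appVersion|platform|plugins|mimeTypes)\b/,
};
const DNT_CHECK = /\b(navigator|window)\.doNotTrack\b/;

function stripComments(src) {
  // Drop comments so commented-out code is not counted. This is deliberately
  // crude: a "//" inside a string literal would also be cut.
  return src.replace(/\/\*[\s\S]*?\*\//g, "").replace(/(^|[^:])\/\/.*$/gm, "$1");
}

function auditScript(source, threshold = 2) {
  const code = stripComments(source);
  const hits = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(code));
  const consultsDnt = DNT_CHECK.test(code);
  // Flag scripts that combine several attribute classes and never look at DNT.
  return { hits, consultsDnt, suspicious: hits.length >= threshold && !consultsDnt };
}

// Constructed sample inputs (not taken from any real site).
const SAMPLE_PROFILER = `
  var d = document.createElement("span");
  d.style.fontFamily = "Calibri, monospace";
  var w = d.offsetWidth;
  var id = [screen.width, screen.height, navigator.plugins.length, w].join("|");
`;
const SAMPLE_LAYOUT = `
  // responsive layout helper
  if (screen.width < 600) { document.body.className = "mobile"; }
`;
const SAMPLE_DNT_AWARE = `
  if (navigator.doNotTrack !== "1") {
    report(screen.width + "x" + screen.height, navigator.userAgent);
  }
`;

for (const [name, src] of Object.entries({ SAMPLE_PROFILER, SAMPLE_LAYOUT, SAMPLE_DNT_AWARE })) {
  console.log(name, JSON.stringify(auditScript(src)));
}
```

A read of `navigator.doNotTrack` only shows that the script looks at the preference, not that it honors it, so `consultsDnt` is a triage hint rather than proof of compliance.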

Although the researchers followed legal advice in not listing the websites they found using device fingerprinting, researcher Gunes Acar of KU Leuven University in Belgium told Ars Technica that they included orbitz.com, tmobile.co.uk, pokerstrategy.com, anonymizer.com, westernunion.com, and t-online.de.